Gas pipeline operators in the U.S. had to shut down several plants for two days after their computers were infected with extortion software.
Attackers Distributed Malware On The Company’s Computer Network
With the help of a manipulated link in an email, criminals temporarily shut down a natural gas compression plant in the United States. The attackers first distributed malware on the company’s computer network. Using it, they were able to work their way into the Operational Technology (OT) network, from which the machines in the industrial plant are monitored and controlled. In both networks they placed so-called ransomware, encryption Trojans, which rendered every file they could reach unusable.
The incident was made public by the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS). It suffices to draw a picture of the possible next escalation stage of the global ransomware plague: attacks on critical infrastructure, in which the actual victim is not the operator but the population.
The CISA report shows that the perpetrators started with a spear phishing link. Typically, they send individually tailored e-mails to employees that are meant to tempt them into clicking a link. The malware, or its first stage, is then downloaded unnoticed to the victim’s computer via the website behind that link.
Several Plants Had To Be Shut Down
The fact that the perpetrators managed to get from the plant operator’s office network into the OT area points to suboptimal security measures. That is what the CISA report says. Normally, such networks should be physically separated.
The Federal Office for Information Security (BSI) also points this out to companies, both in its IT guidance and in the industry-specific security standards for operators of critical infrastructures. A spokesman said that in classic extortion attempts it doesn’t make a big difference whether the OT is infected as well as the IT.